
is this a security hole?

I got a .htaccess file that redirects URLs to /loader.php?include_page=[whatever you type], as follows:

RewriteEngine on
RewriteRule ^(.*)$ loader.php?include=/$1 [QSA,L,NC]

so, for instance, if you visit /search/foo/, apache redirects traffic to /loader.php?include=/search/foo/

eventually (after doing lots of stuff), loader.php includes the page specified in $_GET['include'], in this way:
include '/app/webroot' . $_GET['include']; // user-supplied path appended to the webroot

it looks to me like a bad security hole, but I've tried all possible values I could think of, and nothing bad happened.

I think this doesn't allow loading external sites or system files like /etc/passwd, because of the way the include is written: the file must be inside /app/webroot, and whatever is in this directory you can access from the web anyway.

That jails you to the application directory regardless though, doesn't it?
What if you have multiple sites using the same includes?

If the path goes outside of the desired location, or goes to a location that doesn't exist, that would tell me that someone is trying to hack into the system and/or find an exploit. The common user is not going to forge paths.

And I'm not sure what "...multiple sites using the same includes..." is supposed to mean in this context.

Logic without the fatal effects.
All code snippets are licensed under WTFPL.
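As an added example (not code from the original post or from anyone in this thread), here is a hardened version of the include step that also covers the detection point made above: the requested path is resolved against the webroot and refused, with a log line, when it does not exist or resolves outside the webroot. The names resolve_include, $webroot and $requested are my own; '/app/webroot' and $_GET['include'] are the values from the first post.

```php
<?php
// Added example, not the thread's loader.php. resolve_include(), $webroot and
// $requested are assumed names; '/app/webroot' is the path from the original post.

/**
 * Return the real path of the file to include, or null if the request must be
 * refused. Refusals are logged, because a normal visitor never sends such paths.
 */
function resolve_include(string $webroot, string $requested): ?string
{
    $root = realpath($webroot);
    if ($root === false) {
        return null;
    }
    // Empty paths and embedded null bytes are never legitimate requests.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        error_log("loader: malformed include path refused");
        return null;
    }
    // realpath() canonicalises "..", symlinks and duplicate slashes, and
    // returns false when the location does not exist.
    $target = realpath($root . '/' . ltrim($requested, '/'));
    if ($target === false || !is_file($target)) {
        error_log("loader: nonexistent include refused: $requested");
        return null;
    }
    // The resolved file must sit strictly below the webroot directory.
    if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        error_log("loader: include outside webroot refused: $requested");
        return null;
    }
    return $target;
}

// Stand-alone demonstration with a constructed temporary webroot.
$demoRoot = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir($demoRoot . '/search', 0700, true);
file_put_contents($demoRoot . '/search/index.php', "<?php echo 'search page';\n");

foreach (['/search/index.php', '/../../etc/passwd', '/search/missing.php'] as $path) {
    $resolved = resolve_include($demoRoot, $path);
    echo $path, ' => ', $resolved === null ? 'refused' : $resolved, "\n";
}

// In loader.php the call would be:
//   $page = resolve_include('/app/webroot', $_GET['include']);
//   if ($page !== null) { include $page; } else { http_response_code(404); }
```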

The first path is the DocumentRoot for an Apache virtual host named "domain-one.com", the second path is a DocumentRoot for "domain-two.com", and the third path is a set of common includes accessible by both sites so the administrator doesn't need to maintain two sets of includes for the two sites.